
Re: [PATCH 1/3] x86: Reject bad %dr6/%dr7 values when loading guest state


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 30 Aug 2023 15:39:23 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jinoh Kang <jinoh.kang.kr@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 30 Aug 2023 14:39:38 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30/08/2023 7:46 am, Jan Beulich wrote:
> On 29.08.2023 15:43, Andrew Cooper wrote:
>> --- a/xen/arch/x86/domain.c
>> +++ b/xen/arch/x86/domain.c
>> @@ -1074,8 +1074,27 @@ int arch_set_info_guest(
>>  #endif
>>      flags = c(flags);
>>  
>> +    if ( !compat )
>> +    {
>> +        if ( c(debugreg[6]) != (uint32_t)c(debugreg[6]) ||
>> +             c(debugreg[7]) != (uint32_t)c(debugreg[7]) )
>> +            return -EINVAL;
>> +    }
>> +
>>      if ( is_pv_domain(d) )
>>      {
>> +        /*
>> +         * Prior to Xen 4.11, dr5 was used to hold the emulated-only
>> +         * subset of dr7, and dr4 was unused.
>> +         *
>> +         * In Xen 4.11 and later, dr4/5 are written as zero, ignored for
>> +         * backwards compatibility, and dr7 emulation is handled
>> +         * internally.
>> +         */
>> +        for ( i = 0; i < ARRAY_SIZE(v->arch.dr); i++ )
>> +            if ( !access_ok(c(debugreg[i]), sizeof(long)) )
>> +                return -EINVAL;
>> +
>>          if ( !compat )
>>          {
>>              if ( !is_canonical_address(c.nat->user_regs.rip) ||
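Review bot: the block comment ahead of the `for` loop describes %dr4/%dr5 history and %dr7 emulation, but the loop it precedes only walks `ARRAY_SIZE(v->arch.dr)` entries (the four breakpoint address registers, as the follow-up below notes), so a reader will assume the loop covers %dr4..%dr7. Move the comment below the loop, and add a one-line comment on the loop itself saying what the `access_ok(c(debugreg[i]), sizeof(long))` test rejects (a breakpoint address range that a PV guest may not set), since that is the check a future reader needs to understand before touching the -EINVAL path.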
> One more thing here: v->arch.dr is an array of 4 elements, i.e. doesn't
> cover %dr4 and up.

Correct (as of the same changeset relevant in this comment).

> That's not directly visible here, though, so the
> comment ahead of the loop talking about those other 4 registers is a
> little misleading. Would you mind moving it below the loop?

Can do.

~Andrew
